[4.0.138377.779] CIS does NOT update running applications list (and even worse)

Hi there,

On Windows Vista Home Basic x86 SP2
CIS 4.0.138377.779 (Firewall in Custom Policy Mode and Defense+ in Paranoid Mode, Sandbox enabled but with Automatic sandboxing disabled)
Running software: avast! 5 Free (5.0.462), MBAM 1.45 beta, Windows Defender and Daemon Tools Lite.

CIS v4 does not update the running applications list. This bug can be seen mostly on user-mode applications such as those that are executed via Start\Run. It does update the system-side applications (services.exe and child processes), but there are sometimes some glitches.

If you try to finish some of the processes that are listed there, but you happen to choose an already terminated one, sometimes it won’t respond, but other times it’ll say “Pure virtual function call” (related to C++ runtime?) and close down.

Last time cfp.exe crashed, it generated the attached dump.

I’ll see if I can get you some screenshot of the issue.

EDIT: Attached a screenshot of the applications list and a Process Explorer list at the same time.
Do notice how many applications are listed after the csrss/lsass/winlogon processes (i.e. all processes started by me within the session) in CIS, whereas at the same time Process Explorer does not report most of them.

[attachment deleted by admin]

Narrowed down the issue.
It appears (now I can say it DOES, at least on my system) when Microsoft Security Essentials is installed and running on the computer.
More specifically, it bugs when MpFilter (MSE’s kernel minifilter) and MsMpSvc (MSE’s service) are running, so the only way to get rid of the issue is stopping both services.
However, it seems that applications started after the loading of MpFilter and terminated before its stopping won’t be removed from the Applications List screen.

Thanks for all your work in tracking this down. It is not always possible to run two security suites on the same computer, but I think Comodo will try to resolve conflicts where possible.

One approach is to exempt all the files from each security suite from the real-time monitoring processes of the other security suite. If you cannot exempt files from some monitoring functions, try making these files as trusted as possible (e.g. in D+ make them ‘Windows System’).

Best wishes

Mouse

Before I forget, Mouse1, I’d like to clarify one thing: I’m running only the Firewall part of CIS (Comodo Firewall Pro), not the AV. Nevertheless, the conflict between MSE and CFP appears even if I don’t have avast! 5 (the other AV) installed.

I’m confused. You said: “Defense+ in Paranoid Mode”? and “Sandbox enabled”?

Best wishes

Mouse

Oh, let me explain.

Defense+ mode is set to “Paranoid Mode”.

As regards the Sandbox, in Sandbox Settings window, the Sandbox Security slider is set to “Enabled”, and all options in both tabs are ticked but the following ones:

  • Automatically run unrecognized programs inside the Sandbox
  • Automatically detect installer/updaters and run them outside the Sandbox

(that’s why I said “Automatic sandboxing disabled”).

OK, so the approach I suggest remains, as Defense+ monitors software in real time and prevents it doing things.

The Microsoft program & Avast will probably have real time AV monitoring, and may have some facilities similar to, but weaker than D+, too.

Possibly easier, while this is fixed, to install Microsoft’s Process Explorer - this gives more info than the running applications list. (Just google it - easy to find - alongside a lot of other goodies)

Best wishes

Mouse

I already have Process Explorer :)
The TXT I attached in my first post is a list it generated with all the applications running, in order to make a contrast with what CIS was detecting at the same time (tons of apps running, see the screenshot).

An easy way to do this (though somewhat insecure) is to exempt, or give high level trusted status to, the whole program files/ directory in each case.

Best wishes

Mouse